Lock Down Applications for PCI DSS Compliance

Publisher: Secure Computing
By: Secure Computing
Published: Jan 10, 2008
Length: 4 pages
Type: White Paper
Overview:

The Payment Card Industry Data Security Standard requires merchants and transaction processors to protect customer data, and firewalls play a major role in the process. 

Download this paper by Matt Sarrello, CISSP, contributing editor at Ziff Davis Enterprise and Michael Steinhart, senior editor at Ziff Davis Enterprise.

Credit card fraud is not a new phenomenon. However, e-commerce has ushered in an era where data theft can be carried out on a global scale. Just as companies processing credit card information couldn’t protect consumers in the world of paper receipts, they lack the skills to do so in the electronic age. To make matters worse, as the raw number of credit card-based transactions has increased online, credit card issuers are feeling the sting of the accompanying rise in online credit card fraud.
To cut down on fraud and increase consumer protection, a consortium of payment card providers collaborated to develop the Payment Card Industry Data Security Standard (PCI DSS), to ensure that companies protect credit card data during storage, processing, and transmission. PCI DSS is predicated on solid infrastructure and information security principles that begin with network- and application-layer firewalls. Secure Computing’s award-winning Sidewinder® appliance can meet the needs of any company required to comply with PCI DSS.
Over the last 15 years, e-commerce has proliferated rapidly, bringing an explosion of online financial transactions being processed around the world. Almost all online transactions involve the use of credit and debit cards. Whether the cards are used for purchasing video games, food, services, or vacations, they have become an integral part of online commerce. However, along with increased use of credit cards for online transactions come increased opportunities for criminals to exploit vulnerabilities in merchant networks.
With growing threats to consumer information, identity theft is increasing and consumers are losing confidence in the ability of businesses, especially online businesses, to protect their identity and credit card information. The US Federal Trade Commission (FTC) fielded over 650,000 complaints in 2004, 680,000 in 2005, and 670,000 complaints in 2006; roughly 35 percent of these complaints were related to identity theft. Considering that these numbers are a mere fraction of the total number of identity thefts, this does not paint a pretty picture for protecting the American consumer's personal financial information, especially since many of the reported cases were the result of data breaches involving credit card information.
Credit card fraud and identity theft not only concern consumers but also businesses. The cost of notifying customers of a data breach and cleaning up the mess can run as high as $150-$300 per customer. In 2006, breaches cost American businesses over $5 billion, and businesses in the UK lost over 1.7 billion pounds. One of the highest-profile data breaches came early in 2007, with the TJX Companies reporting a hole that gave hackers access to as many as 94 million customer records. The breach cost the company an estimated $140 million. These expenses caused the firm’s second-quarter profits to fall 14 percent; had these expenses not been incurred, profits would have risen 31 percent.
To combat this trend, PCI compliance was instituted in 2005, when Visa, MasterCard, American Express, Diner’s Club, Discover, and JCB collaborated to create a new set of standards that would prevent credit card fraud. The PCI DSS was born, and all merchants and service providers that handle, transmit, store, or process information concerning payment cards or their related data are expected to comply with the 12 requirements laid out in the data security standard.
Businesses that do not comply can face monetary penalties, an increase in card-processing fees, and/or have their card-processing privileges terminated. Fines for non-compliance can run as high as $25,000 a month, and service penalties can cost credit card processors even more. For smaller companies, these costs can be devastating; and some larger companies, unfortunately, find that it is cheaper to pay the penalties than to comply with the standard, according to an August 2006 report from the IT Compliance Institute.[1]
Inside PCI DSS
For the most part, the PCI DSS is a list of security best practices, many of which have been widely urged and implemented for a number of years. These solid fundamentals of network and information security aren't just expensive exercises; they represent a comprehensive approach that will help companies reduce risk, and they ought to be in place across all industries. However, the PCI DSS does not go into excessive detail or provide clearly organized recommendations.